Health Information Compliance Alert

Published on Sat Nov 11, 2006 PDF

Employers could be at risk when they collect genetic data from employees.

Knowing which rules to follow when it comes to keeping medical records is challenging enough, with privacy officers struggling to choose between HIPAA requirements and state mandates. But with genetic information -- the situation gets murkier still.

And that situation is plenty murky, according to a report commissioned by the California HealthCare Foundation and prepared by the Georgetown University Health Privacy Project.

Genetics and Privacy: A Patchwork of Protections surveys U.S. policy on the collection, use, storage and protection of genetic information.

The conclusion? There's a need for clear and consistent nation-wide guidelines to ensure that genetic information is kept out of the wrong hands. And there's need for a consistent policy governing when genetic testing should be "encouraged, discouraged, facilitated, or prohibited." As a result, genetic privacy policies often vary from state to state, employer to employer and insurer to insurer

While conceding that much genetic information will be protected by Health Insurance Portability and Accountability Act privacy regulations, so long as it meets the HIPAA definition of protected health information, the report nevertheless identifies five major gaps it says still remain in the protection of genetic information:

1. Genetic source materials from which a person's genetic information can easily be obtained -- such as tissue, blood and hair -- are not protected by HIPAA;

2. Key entities with access to genetic information -- including employers, pharmaceutical companies, pharmacy benefit managers, workers compensation managers, life insurers and disability income insurers -- are covered only indirectly by HIPAA;

3. Certain HIPAA privacy regulations are "too permissive," according to the group, especially those governing the use of protected health information -- including genetic information -- for health-related marketing, and the access to that information by law enforcement officials;

4. There is no private right of action under HIPAA which allows individuals whose rights have been violated to seek compensation; and

5. There is little policy governing the collection, use and disclosure of genetic information on the Internet.

"The federal government has yet to develop a clear policy about the collection, use, storage and protection of genetic information," says CHCF's Sam Karp. "The result is a patchwork of protections that leaves individuals and families vulnerable."

Genetics, Employers and Privacy

One of the study's key concerns is the potential for the abuse of genetic information by employers.

The report points out that while HIPAA goes to "great length" to prevent employers from inappropriately acquiring and using workers' protected health information, the reg can't always keep all health information out of employers' hands. Some employers that sponsor their employees' health plans, for example, administer those plans in-house. In such instances an employer could learn that an employee had undergone a genetic test when the worker submits a claim for the test.

Testing often includes DNA data: In other cases, employers can acquire their employees' genetic information more directly. While acknowledging that there is little hard data on the issue, the report cites one survey that found one percent of major U.S. firms test employees for sickle cell anemia, 0.4 percent genetically test for Huntington's disease, and 14 percent conduct medical examinations -- which could include genetic testing -- to detect susceptibility to workplace hazards. Additionally, the report claims that 20 percent of major U.S. firms collect information about their employees' family medical history, a rich source of genetic information.

To illustrate the potential dangers posed by such practices, the report cites the Burlington Northern and Santa Fe Railroad Co. case, in which the company forced employees who had developed carpal tunnel syndrome to undergo medical exams that included -- without their knowledge or consent -- testing for a genetic marker that would supposedly show they were genetically predisposed to the condition.

To see the report go to www.chcf.org/documents/ihealth/GeneticsAndPrivacy.pdf.